MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ed76fa68ef9e1a7705a849d47b3d9dcdf969e332bd5bcb68138579c288a16d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4ed76fa68ef9e1a7705a849d47b3d9dcdf969e332bd5bcb68138579c288a16d3
SHA3-384 hash: 172bfb85418ace2a6d1a8c96c8a706cff9e8daa98cb268d834473997873924181226451a94d5238e17b9fc202b002205
SHA1 hash: baa569318144905563b469a5a006ad54eb616a02
MD5 hash: 0538e73fc195c3b4441721d4c60d0b96
humanhash: idaho-seven-bacon-beryllium
File name:Scan Document Products Inquiry Order.exe
Download: download sample
File size:360'112 bytes
First seen:2025-10-06 10:02:44 UTC
Last seen:2025-10-09 11:45:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1a8face209c2457255f6ff7cf56dbf80
ssdeep 6144:Icf1ilncapZSD4CPpdOHFCJdCCKCjdHvvpphA7vvI1k:Lf+capZO4uaEJECKc3phAU1k
TLSH T1C4747C1279808432C2B738704679F1B21DBEBC315D645A9E23EC2D7A5FB45907B29B2F
TrID 32.2% (.EXE) Win64 Executable (generic) (10522/11/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4504/4/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter cocaman
Tags:exe INVOICE signed

Code Signing Certificate

Organisation:Canon Inc.
Issuer:VeriSign Class 3 Code Signing 2010 CA
Algorithm:sha1WithRSAEncryption
Valid from:2015-03-30T00:00:00Z
Valid to:2018-04-18T23:59:59Z
Serial number: 20a947947e703391c3008b626606fa8f
Thumbprint Algorithm:SHA256
Thumbprint: b948157b602a24c980bf6d0fb92f298a33153cc4d2f6533e6e238833f01820db
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
129
# of downloads :
65
Origin country :
CH CH
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/30768/
Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68deba62b54520161ad47dcc
Tags:
virus
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
anti-debug expired-cert fingerprint masquerade microsoft_visual_cc signed
Link:
https://www.filescan.io/uploads/68e39430c74bd2958b15e8a2/reports/81b73bee-53d4-4fe7-a376-21c1c7c9d0da/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/4ed76fa68ef9e1a7705a849d47b3d9dcdf969e332bd5bcb68138579c288a16d3
Verdict:
Clean
File Type:
exe x32
First seen:
2018-02-12T11:11:00Z UTC
Last seen:
2025-10-06T07:56:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/4ed76fa68ef9e1a7705a849d47b3d9dcdf969e332bd5bcb68138579c288a16d3/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/5ac169ed-ea82-4f52-bc3c-d74993b7af96
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1789632
Signature
Initial sample is a PE file and has a suspicious name
Sample has a suspicious name (potential lure to open the executable)
Behaviour
Behavior Graph:
Download SVG
Score:
3%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/4ed76fa68ef9e1a7705a849d47b3d9dcdf969e332bd5bcb68138579c288a16d3
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/0538e73fc195c3b4441721d4c60d0b96
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4ed76fa68ef9e1a7705a849d47b3d9dcdf969e332bd5bcb68138579c288a16d3/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=j3lw7juo7hq2o4c2qsoupm6z3tpznhrtfpk3znubhblzykekc3jq._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Link:
https://tria.ge/reports/251006-l3j6qssqs2/
Behaviour
System Location Discovery: System Language Discovery
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/8da55209-d97b-430a-b367-762355d53e87
Unpacked files
SH256 hash:
4ed76fa68ef9e1a7705a849d47b3d9dcdf969e332bd5bcb68138579c288a16d3
MD5 hash:
0538e73fc195c3b4441721d4c60d0b96
SHA1 hash:
baa569318144905563b469a5a006ad54eb616a02
Link:
https://www.unpac.me/results/ace30d9a-3ede-4c02-add8-c2ac0da5003b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/4ed76fa68ef9e1a7705a849d47b3d9dcdf969e332bd5bcb68138579c288a16d3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DBatLoader

xz 9f702282e8b9c1edbfa3ae5b559ec40e03f0a35a897a592fb7660df5af9a2779

Executable exe 4ed76fa68ef9e1a7705a849d47b3d9dcdf969e332bd5bcb68138579c288a16d3

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 9f702282e8b9c1edbfa3ae5b559ec40e03f0a35a897a592fb7660df5af9a2779
  
Dropped by
MD5 bfd946f6b0030e55a7bfaa36185b8439
Cape
Cape
https://www.capesandbox.com/analysis/30768/

Comments